
Imagine you’re watching a science fiction show in the 1970s. You see doctors diagnosing patients by manipulating robots from a world away. You see consumers talking to customer service agents on screens giving them personal shopping recommendations. You see a report filed in a little pad, secured by a fingerprint. You see nuclear-powered flying cars. Well, aside from that last one, we’re pretty much there with VoIP and modern Cloud technology.

Cartoons and shows with big, rubbery monsters showed those technologies only being used for good.

But, in the real world, there are real risks and real regulation to mitigate those risks. Valuable information goes through those cables and servers every second, and some sectors have special rules, which have evolved over time to adapt to advances in technology. Here is a list of some of the regulatory standards you’ll want to be familiar with when it comes to your VoIP and other data networks.

Note: We are only covering regulations that pertain to electronic communication, and digital or personal information storage.

1. CPNI

– What is it?
Customer Proprietary Network Information is information that telecommunications service providers gather about their subscribers. Specifically, it links together the type of service a subscriber uses, how much it is used, and what it is used for. For example, a wireless provider can track how often you use your phone, and that you use it for both social networking and calling. The information is supposed to be kept private, but only if the customer opts out. If the customer does not opt out, the provider can pass that information along to marketers to sell other services, as long as the customer is notified. If you leave your provider for another one, the company is forbidden to use the CPNI to try to win you back. If you wish to opt out of CPNI sharing, you can Google “CPNI opt out (your provider name)” and follow the instructions you find.

– Who Does it Affect?
Any telecommunications provider is subject to CPNI restrictions. But how much information each provider has at its disposal, and therefore the risk of that data being passed along (either legitimately or otherwise), depends on the type of service provided. Cable companies, phone companies, and wireless providers are becoming increasingly interchangeable today, because we make phone calls through our Internet provider and use our phones to access the Internet. All of this information may be available to your ISP. In 2007, the FCC explicitly extended the application of the Commission’s CPNI rules under the Telecommunications Act of 1996 to providers of interconnected VoIP service. Oddly enough, the same information that can be passed to marketing companies with minimal restriction requires a warrant for law enforcement agencies to access.

– What Are the Risks?
In 2015, AT&T settled with the FCC for a record $25 million penalty after 280,000 names and full or partial SSNs were accessed without authorization. According to the FCC, employees at AT&T call centers in Mexico, Colombia, and the Philippines gained access to the information while legitimately unlocking cell phones, but then passed that information on to third parties to unlock stolen cell phones. This was by far the largest settlement for a data security action. The second largest was with Verizon Wireless, which had to pay $7.4 million in 2014 after it failed to notify two million of its customers that it was using their information to conduct thousands of marketing campaigns.

2. COPPA

– What is it?
The Children’s Online Privacy Protection Act of 1998 prohibits deceptive marketing to children, or collecting their personal information without disclosure to their parents. The rule took effect in 2000, and was amended in 2011 to require that the data collected be erased after a period of time, and that if any information is to be passed on to a third party, it must be easy for the child’s guardian to protect that information. Personal information, in this case, can be the child’s name, physical or IP address, username/screen name, social security number, and photos. Companies are not allowed to prompt children to submit that information.

– Who Does it Affect?
COPPA is enforced by the FTC. The rules of COPPA apply to any website operator or online service provider that collects information about users known to be under the age of 13. Not-for-profits are exempt from COPPA in certain circumstances. In 2014, the FTC issued guidelines that apps and app stores require “verifiable parental consent.” The rules regarding credit card numbers were modified, stating that making a purchase (i.e., spending money) was not necessary to validate a credit card number, but that a credit card number alone was not proof of parental consent, and had to be used in conjunction with other measures, such as secret questions.

– What are the Risks?
Xanga, an online blogging and social networking platform, paid the largest settlement, $1 million, in 2006 for violating children’s online privacy without disclosure. Xanga is not to be confused with Zynga, the company behind FarmVille and other cow-clicker games. Games like Candy Crush and Pet Rescue fall into unclear territory, because they are hosted by Facebook, and Facebook is, in theory at least, limited to humans over the age of 13. Many privacy advocates and consumer protection groups lobby for stricter rules regarding these apps.

The Topps Company, parent company of Ring Pops, has earned the wrath of privacy groups for its “#RockThatRock” social media campaign, which they say was marketed to children under 13; many have also complained that many of the pictures posted sexualized pre-teens. As of this writing, the company has not been fined.

3. HIPAA

– What is it?
The Health Insurance Portability and Accountability Act dates back to 1996, and Title II specifically sets the rules for electronic health care transactions. In other words, any information about your health that is stored digitally is subject to strict privacy rules. Just as you have doctor-patient confidentiality, your information is also confidential, and can only be shared with your permission or with a judge’s order.

– Who Does it Affect?
Any covered entity is subject to HIPAA. According to Health and Human Services, this can be a health care provider (doctor, dentist, pharmacy), a health plan (insurance, HMO, Medicare, Medicaid, the VA), or a health care clearinghouse (a public or private entity that takes information written in industry jargon and makes it more readable by a layperson).

– How must patients be protected?
There are administrative, physical, and technical safeguards to prevent breaches. Administrative safeguards are things like granting access to staff who need it and restricting it from those who don’t, making sure passwords are changed regularly, and having specific written policies regarding employee conduct. Physical safeguards refer to controlling in-person access to devices and locations, and include things like secure locks and alarms, security guards and cameras, and knowing how to safely dispose of old drives. Technical safeguards refer to logging in and out of a workstation, tracking user activity, and secure data encryption.

– What are the Risks?
If information is breached, the affected entity must notify the person whose information was leaked via email or first class mail. In the case of a larger breach, if any event affects more than 500 individuals, they are required to notify “prominent media outlets” and the Secretary of HHS. You can view a list of all reported breaches of information affecting over 500 people here. You can file your own complaint by mail, fax, or email for HHS to review if you or someone you know has had their privacy invaded.

Violating HIPAA can lead to heavy fines or criminal punishment. In 2014, HHS dropped the hammer on New York-Presbyterian Hospital and Columbia University Medical Center after the data of 6,800 patients became available to public search engines; the two hospitals were hit with a combined fine of $4.8 million.

4. SOX

– What is it?
The Sarbanes-Oxley Act of 2002 was created in the wake of the Crash of 2002, in order to prevent nefarious financial activity.

To quote the bill itself, the SEC requires companies to prevent or detect in a timely manner the “detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statement.”

– Who Does it Affect?
Any company that is publicly traded on a stock exchange is subject to SOX. Section 404 of SOX requires companies to publish information regarding their internal control structure and how accurate their financial records are.

Sarbanes-Oxley does not make a distinction between tangible and intangible assets. That means that companies must put a value on their future business plans, unannounced products that are still in the testing phase, and anything that can be considered a trade secret. Companies also need to protect themselves against former employees taking trade secrets with them, and even from being given trade secrets by former employees of competitors.

– What Are the Risks?
Any company that is subject to SOX must also have its information audited by a trusted third party. This is sensitive information that is being transmitted and stored, and the auditors and companies must take the utmost care to make sure it is safe. Look no further than whatever was in yesterday’s headlines to hear about a company’s documents being leaked, causing no small amount of embarrassment, loss of confidence by investors, loss of business, and sometimes fines or criminal penalties. It is best practice to require signing an NDA, to interview those who hold sensitive information and assess the likelihood of data falling into the wrong hands, and to maintain strict records of who has legal access to information and who does not.

5. Telephone Consumer Protection Act / National Do Not Call Registry

– What is it?
The Telephone Consumer Protection Act of 1991 limited the use of robocalls, automatic dialers, and other methods of communication. The Federal Communications Commission left it up to individual companies to establish their own Do Not Call lists, and so it was a big failure. It wasn’t until 2003 that the National Do Not Call Registry was formally established by the Federal Trade Commission as part of the Do-Not-Call Implementation Act of 2003. Many VoIP contact centers use the abbreviation TCPA when talking about their compliance with the National Do Not Call Registry.

– Who Does it Affect?
According to the FTC, if a business has an established relationship with a customer, it can continue to call them for up to 18 months. If a consumer calls the company, say, to ask for information about the product or service, the company has three months to get back to them. In both of the cases I just mentioned, if the customer asks to not receive calls, the company must stop calling, or be subject to fines.

The following types of calls are exempt, barring a specific complaint, from the Do Not Call Registry:

Calls from a not-for-profit organization. Not all not-for-profits are automatically exempt.

Certain kinds of informational messages, but not promotional messages (e.g., a flight cancellation is exempt, a sale on plane tickets is not).

Calls to vote for a political candidate.

Solicitations for charitable donation.

Calls to a business, even cold calls to elicit sales.

Calls from debt collectors, but debt collectors do have their own laws regarding who and when they can call.

– What Are the Risks?
The maximum fine for calling someone on the DNCR is $16,000. Putting your phone on the registry is as easy as visiting the web site donotcall.gov, or calling 1-888-382-1222 from the phone you want on the list. Although you may have read some email or social media post to the contrary, once a number is on the list, it stays on the list forever unless it is actively removed. All cellular phones are on the list by default. As of this writing, there is no such thing as a “Do Not Text” registry, and so-called “junk faxes” are subject to their own regulations.

– Who Does it Affect?
This law imposes requirements for a personal data privacy and security program on business entities that maintain sensitive personally identifiable information in electronic or digital form on 10,000 or more U.S. persons. Many VoIP providers have over 100,000 customers, so there’s a good chance your business VoIP provider of choice is subject to this requirement. The rules also apply to interstate data brokers with information on more than 5,000 people, but VoIP providers are not considered data brokers.

– What Are The Risks?
The perpetrator of the crime itself, which is intentionally accessing a computer without authorization, may be charged with racketeering. But, as for the company that is a victim of this attack, intentionally hiding a security breach of “sensitive personally identifiable information” can lead to a fine and/or five years in prison. This covers the victim’s name, social security number, home address, fingerprint/biometric data, date of birth, and bank account numbers.

Any company that is breached must notify the affected individuals by mail, telephone, or email, and the message must include information on the company and how to get in touch with credit reporting agencies (i.e., to get help fixing their credit). It must also report the breach to consumer reporting agencies. The breach must also be reported to major media outlets if more than 5,000 affected individuals are in one state.

The company must also contact the Secret Service within fourteen days if one or more of the following happen:

The database contains information on more than one million individuals.

The breach affects more than 10,000 individuals.

The database is a federal government database.

The breach affects individuals known to be government employees or contractors involved in national security or law enforcement.

That information will then be passed from the Secret Service to the FBI, the United States Post Office, and the attorneys general of each affected state.

In conclusion:

Every two days, more information is generated than in all of written history up to 2003. Much of this is information that would have been impossible to document properly until the past decade or so, and until even more recently, impractical to store and unfeasible to move. Safeguards like these laws exist so that we can restrict that information to ethical people, who can do the right thing for their patients, clients, or whatever the relationship is. We always hear about databases being breached, and now you have a better idea of what will happen to a company that allowed itself to be hacked, and what it should have done to prevent it. Rest easy knowing you, the consumer, are safer because of these rules.